On Wed 11.07.2012, 22:10:11, Daniel Kahn Gillmor wrote:

> If the attacker can convince you to sign a chosen text (perhaps one that
> looks reasonable), then a failure in the digest's collision-resistance
> could very well be used to replay that signature over a different (but
> colliding) text (which may not be something reasonable). This does not
> require a preimage collision.

But that is a problem only in the case that a collision algorithm is capable of creating (mostly – some "random" data may be hidden in comments) useful data, isn't it? I am not familiar with the collision algorithms. Is all the effort useless if the reasonable document is slightly changed? I guess so. Does it make sense to require every document which one is to sign to be slightly changed (even if it's just a "typo", but this change would have to be determined by oneself, not by the other party) before signing?

> I'm not saying these attacks exist practically today against SHA1 (i
> don't know if they do), but collision-resistance is the relevant
> property, not resistance to pre-image attacks.

But the problem of collision-resistance can be addressed organizationally; pre-image attacks cannot.

Hauke

-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
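An added illustration of the distinction discussed in this thread (it is not part of the thread and not GnuPG code): a toy digest, SHA-256 truncated to 16 bits, stands in for a hash whose collision resistance has failed. With only 65536 possible outputs, an attacker can cheaply build two documents with the same digest (a collision). Appending a signer-chosen random note before signing, the "typo" countermeasure proposed above, almost always breaks that precomputed pair. The same toy hash also shows why the countermeasure does not help against a second-preimage attacker: with a weak enough digest, the modified document can be targeted directly. All document texts, the nonce length and the function names are assumptions for the illustration.

```python
import hashlib
import os
from itertools import count

# Toy digest: SHA-256 truncated to 16 bits (an assumption for the demo). It
# stands in for a hash whose collision resistance has failed; with 65536
# outputs, birthday collisions take a few hundred tries and even second
# preimages are cheap. Real digests must make the second search infeasible.
def toy_hash(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def find_collision(prefix: bytes):
    """Attacker's step (birthday search): two distinct documents sharing a
    toy hash. Both start with the 'reasonable' prefix; the differing tail is
    the kind of junk that would be hidden in a comment field."""
    seen = {}
    for i in count():
        doc = prefix + b" <!-- variant %d -->" % i
        h = toy_hash(doc)
        if h in seen:          # seen[h] differs from doc: earlier variant number
            return seen[h], doc
        seen[h] = doc

def signer_prepare(doc: bytes, signer_nonce: bytes) -> bytes:
    """The organizational countermeasure: the signer alters the document in a
    way the other party cannot predict before signing. Here the 'typo' is an
    appended note carrying signer-chosen random bytes."""
    return doc + b"\n[signed copy " + signer_nonce.hex().encode() + b"]"

def collision_survives(doc_a: bytes, doc_b: bytes, signer_nonce: bytes) -> bool:
    """Does the attacker's precomputed pair still collide after the change?"""
    return (toy_hash(signer_prepare(doc_a, signer_nonce))
            == toy_hash(signer_prepare(doc_b, signer_nonce)))

def surviving_collisions(doc_a: bytes, doc_b: bytes, trials: int) -> int:
    """Count how many independent signer changes leave the pair colliding.
    For the 16-bit toy hash the expected rate is 1/65536 per trial."""
    return sum(collision_survives(doc_a, doc_b, os.urandom(8)) for _ in range(trials))

def find_second_preimage(signed_doc: bytes) -> bytes:
    """What the countermeasure does NOT stop: an attacker able to compute
    second preimages targets the modified document directly. Feasible here
    only because the toy hash is 16 bits; for a real digest this is exactly
    the property that must hold."""
    target = toy_hash(signed_doc)
    for i in count():
        forged = b"Contract: deliver 100 units at 0 EUR each. <!-- %d -->" % i
        if forged != signed_doc and toy_hash(forged) == target:
            return forged

if __name__ == "__main__":
    a, b = find_collision(b"Contract: deliver 100 units at 5 EUR each.")
    print("attacker's pair collides:", a != b and toy_hash(a) == toy_hash(b))
    print("pairs still colliding after signer change:",
          surviving_collisions(a, b, 1000), "of 1000")
    signed = signer_prepare(a, os.urandom(8))
    forged = find_second_preimage(signed)
    print("second preimage of the changed document found:",
          toy_hash(forged) == toy_hash(signed))
```

Run as a script it prints that the attacker's pair collides, that essentially none of the 1000 signer-randomised copies still collide, and that a second preimage of the changed document is nevertheless found for this toy digest. Only the last step depends on a property that real hashes are expected to keep even after their collision resistance falls, which is the point made in the reply above.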